论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2005-12-02 11:32 |只看该作者 |倒序浏览

最近对pf进行了一下安装测试，发现pf无法使用synproxy state：
我的系统是FreeBSD 6.0 release
pf的规则如下：
ext_if = "em0"
scrub in on $ext_if all
block in on $ext_if all
block out on $ext_if all
pass quick on lo0 all
pass in quick on $ext_if proto tcp from {202.101.232.190 202.59.89.126} to $ext_if port ssh S/SA keep state
以上规则可以从两个被允许的IP登录ssh，因synproxy state可以防御TCP SYN FLOOD，因此决定将keep state改为synproxy state，结果是无法登录ssh，烦请各位帮忙检查以上规则是否存在问题。
当然我的服务器没有工作在桥模式下，以下是内核配置文件：
machine       i386
cpu          I686_CPU
ident          TEST

maxusers       500
options       SCHED_ULE
options       PREEMPTION
options       IPI_PREEMPTION
options       INET
options       FFS
options       SOFTUPDATES
options       UFS_ACL
options       UFS_DIRHASH
options       PROCFS
options       PSEUDOFS
options       COMPAT_43
options       COMPAT_FREEBSD4
options       COMPAT_FREEBSD5
options       SCSI_DELAY=5000
options       SYSVSHM
options       SYSVMSG
options       SYSVSEM
options       _KPOSIX_PRIORITY_SCHEDULING
options       KBD_INSTALL_CDEV
options       ADAPTIVE_GIANT
options       IPSTEALTH
device       apic
device       pci
device       fdc
device       scbus
device       da
device       amr
device       atkbdc
device       atkbd
device       vga
device       sc
device       em
options       DEVICE_POLLING
options       HZ=1000
device       pf
device       pflog
device       loop
device       random
device       ether
device       pty
device       usb
device       umass
options       SMP